
Google will enhance Chrome web browser security for Windows

The developers of the Google Chrome web browser promise to stop using the infamous win32k.sys driver on modern versions of Windows (8+). This concerns the so-called sandboxed processes, in whose context the code of web pages is executed and rendered. Chrome uses a special security scheme (the sandbox) that runs each tab in a separate process. That process is prevented from performing critical OS functions by the so-called deny SIDs in its access token, as well as by the restrictions imposed by a special job object.



The win32k.sys driver is used by the web browser, like any other GUI application on Windows, to draw windows and GUI elements. Chrome draws the GUI of its web pages from a single process, called the broker. The other sandboxed processes do not need the driver's services, yet they still have to use it.
Last summer, Chrome gained the special option --enable_win32k_renderer_lockdown, which lets you perform the same operation that will appear in upcoming Chrome releases. The ban on win32k.sys is motivated by purely practical security concerns. The vast majority of Windows exploits that allow an attacker to bypass the sandbox and raise privileges in the system to the maximum possible level rely on vulnerabilities in the win32k.sys driver. This was confirmed most recently at Pwn2Own 2015.

Source: https://habr.com/ru/post/253991/

